Full Report
A newly discovered phishing-as-a-service (PhaaS) platform, named VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta. [...]
Analysis Summary
# Tool/Technique: VoidProxy
## Overview
VoidProxy is a newly discovered Phishing-as-a-Service (PhaaS) platform designed to compromise credentials, Multi-Factor Authentication (MFA) codes, and session cookies for Microsoft 365 and Google accounts, including those protected by third-party Single Sign-On (SSO) providers like Okta. It utilizes Adversary-in-the-Middle (AitM) tactics to steal information in real time.
## Technical Details
- Type: Attack Tool / Phishing Service (PhaaS)
- Platform: Web services (Microsoft 365, Google, Okta SSO)
- Capabilities: Real-time credential harvesting, MFA code interception, session cookie capture via AitM proxying, Cloudflare CAPTCHA filtering, disposable domain hosting.
- First Seen: September 2025 (based on article date)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566.002 - Phishing: Spearphishing Link (emails from compromised ESP accounts carrying the redirect link)
- TA0006 - Credential Access
- T1557 - Adversary-in-the-Middle (real-time proxying of the login flow to Microsoft, Google or Okta)
- T1111 - Multi-Factor Authentication Interception (MFA codes relayed through the proxy)
- T1539 - Steal Web Session Cookie (session cookies captured from the proxied response)
- TA0009 - Collection
- T1557 - Adversary-in-the-Middle (also listed under Collection)
- TA0005 - Defense Evasion
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie (replay of the stolen cookie, which bypasses MFA)
## Functionality
### Core Capabilities
- **Adversary-in-the-Middle (AitM) Proxying:** Relays traffic between the victim and legitimate target servers (Microsoft, Google, Okta) while capturing credentials and MFA codes in transit.
- **Credential and MFA Harvesting:** Directly steals usernames, passwords, and MFA codes as they are entered or presented.
- **Session Cookie Theft:** Intercepts and captures valid session cookies issued by legitimate services, allowing attackers to bypass MFA post-capture.
- **Targeted Delivery:** Redirects selected targets to the legitimate-looking phishing pages, while funneling others to benign pages to evade detection.
### Advanced Features
- **Evasion and Filtering:** Uses Cloudflare Workers environment to filter traffic and serves a Cloudflare CAPTCHA challenge on the malicious site to repel automated bots.
- **Infrastructure Obfuscation:** Hosts phishing sites on disposable, low-cost domains (.icu, .sbs, .cfd, .xyz, .top, .home) and cloaks them behind Cloudflare to conceal the true IP addresses.
- **SSO Compromise:** Specifically targets federated accounts by proxying the authentication flow that the primary service hands off to a third-party SSO provider such as Okta, so the victim's password and MFA code are captured at the SSO step as well.
- **Admin Panel:** Provides an administrative interface where captured credentials and session cookies are immediately made available to attackers.
- **Email Vector:** Initiates attacks via emails sent from compromised accounts on legitimate ESPs (e.g., Constant Contact, Active Campaign).
## Indicators of Compromise
- File Hashes: [Not specified in article]
- File Names: [Not specified in article]
- Registry Keys: [Not specified in article]
- Network Indicators:
- Phishing and redirect domains are registered under disposable, low-cost TLDs: `.icu`, `.sbs`, `.cfd`, `.xyz`, `.top`, `.home` (specific domains are not listed in the article); the sites sit behind Cloudflare, so the observed IPs are Cloudflare's, not the operator's.
- Initial emails are sent from compromised sender accounts at legitimate ESPs: `Constant Contact`, `Active Campaign`, `NotifyVisitors`
- Behavioral Indicators:
- Encountering a Cloudflare CAPTCHA challenge on a seemingly legitimate login page.
- Immediate redirection through multiple domains before landing on a login prompt.
- From the identity provider's side, the sign-in (including the MFA step) arrives from the proxy's egress address rather than the user's usual network, and the resulting session is then used from a different IP, ASN or browser than the one that completed authentication.
## Associated Threat Actors
- [Not named in the article. VoidProxy is sold as a service, so several unrelated operators may run campaigns with it.]
## Detection Methods
- Signature-based detection: [Not specified in article; would require signatures for the phishing page structure or for known redirect/proxy infrastructure, which the article does not publish]
- Behavioral detection: Correlate identity-provider sign-in logs rather than network traffic: flag MFA-backed logins whose source IP/ASN is hosting or CDN infrastructure instead of a user network, and sessions that are used from a different IP, ASN or user agent than the one that completed MFA. Either signal alone is noisy (VPNs, mobile networks); the combination is the characteristic AitM pattern.
- YARA rules: [Not specified]
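The detection approach described above, worked through as an added example. This is not code from the article or from any identity provider; the sign-in events are constructed, and the field names, event names and ASN labels are assumptions chosen for the illustration. It establishes each session at its MFA-backed login, flags logins from hosting-style ASNs, and flags later use of the same session from a changed IP, ASN or user agent.

```python
"""Session-theft heuristics over identity-provider sign-in events.

Added example (not from the article or from any IdP vendor): the log lines
below are constructed and the field names, event names and ASN labels are
assumptions chosen for the illustration.
"""
import json

# Assumption: the IdP enriches each event with an ASN description. These
# substrings suggest hosting/CDN egress rather than a user network.
HOSTING_MARKERS = ("HOSTING", "VPS", "CLOUD", "CDN")

# Constructed sample. alice is a normal login. bob's MFA step arrived from a
# hosting ASN (the proxy's egress) and the session was then used from a
# different network and browser (the attacker replaying the stolen cookie).
SAMPLE_LOG = """\
{"ts":"2025-09-10T08:00:00Z","user":"alice@example.test","event":"auth.mfa.success","session":"s-100","ip":"203.0.113.10","asn":"AS64500 CORP-ISP","ua":"Chrome/128"}
{"ts":"2025-09-10T08:05:00Z","user":"alice@example.test","event":"session.access","session":"s-100","ip":"203.0.113.10","asn":"AS64500 CORP-ISP","ua":"Chrome/128"}
{"ts":"2025-09-10T09:00:00Z","user":"bob@example.test","event":"auth.mfa.success","session":"s-200","ip":"198.51.100.7","asn":"AS64501 EXAMPLE-HOSTING","ua":"Chrome/128"}
{"ts":"2025-09-10T09:02:00Z","user":"bob@example.test","event":"session.access","session":"s-200","ip":"192.0.2.44","asn":"AS64502 EXAMPLE-VPS","ua":"Firefox/130"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Return findings as dicts with user, session, kind and a short detail."""
    findings = []
    origin = {}  # session id -> the MFA-backed login event that created it
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "auth.mfa.success":
            origin[ev["session"]] = ev
            if any(m in ev["asn"].upper() for m in HOSTING_MARKERS):
                findings.append({"user": ev["user"], "session": ev["session"],
                                 "kind": "mfa_from_hosting_asn",
                                 "detail": f"MFA completed from {ev['ip']} ({ev['asn']})"})
        elif ev["event"] == "session.access":
            first = origin.get(ev["session"])
            if first is None:
                continue  # session predates the log window; nothing to compare against
            changed = [f for f in ("ip", "asn", "ua") if ev[f] != first[f]]
            if changed:
                findings.append({"user": ev["user"], "session": ev["session"],
                                 "kind": "session_used_from_new_context",
                                 "detail": "changed: " + ", ".join(changed)})
    return findings


def high_confidence_sessions(findings: list) -> set:
    """Sessions that show both signals: MFA from hosting egress and later use
    from a new context. Either signal alone is common for legitimate users."""
    by_session = {}
    for f in findings:
        by_session.setdefault(f["session"], set()).add(f["kind"])
    return {s for s, kinds in by_session.items()
            if {"mfa_from_hosting_asn", "session_used_from_new_context"} <= kinds}


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['user']} {f['session']} {f['kind']}: {f['detail']}")
    print("high confidence:", sorted(high_confidence_sessions(found)))
```

Run against real exports, the `ua` comparison should be relaxed to a browser-family match, and the ASN heuristic replaced by the organisation's own allow-list of user networks; the structure (bind the session at the MFA event, compare every later use against that binding) is what matters.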
## Mitigation Strategies
- **Phishing-Resistant Authentication:** Use FIDO2/WebAuthn authenticators (passkeys, hardware security keys) or Okta FastPass. These bind the credential to the legitimate origin, so a proxy on a look-alike domain cannot obtain a usable assertion to relay; the article reports that users with these methods were protected in the observed campaign. One-time codes and push approvals are not phishing-resistant and are exactly what the proxy relays.
- **Device Trust:** Restrict access to sensitive applications only to managed devices.
- **Access Control:** Enforce risk-based access controls.
- **Administrative Security:** Implement IP session binding for administrative applications and force immediate re-authentication for admins attempting sensitive actions.
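Why the first mitigation holds up against an AitM proxy, as an added illustration that is not code from the article or from Okta. The origins, RP ID and key below are made up, and the authenticator's ECDSA signature is replaced by an HMAC stand-in so the script runs with only the standard library. The point it demonstrates is that the browser, not the page, decides whether the requested RP ID matches the origin the user is actually on, and that the real origin is inside the data the authenticator signs.

```python
"""Why a phishing proxy cannot relay a WebAuthn/FIDO2 assertion.

Added illustration, not code from the article or from Okta. Origins, RP ID
and key are assumed values; the ECDSA signature is modelled with an HMAC.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlsplit

RP_ID = "example.test"                          # assumed relying-party ID
RP_ORIGIN = "https://login.example.test"        # assumed legitimate origin
PHISH_ORIGIN = "https://login.example-sso.icu"  # assumed AitM proxy origin
CRED_KEY = secrets.token_bytes(32)              # stand-in for the credential key pair


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_begin_login() -> dict:
    """The RP issues a fresh challenge and names the RP ID the browser must bind to."""
    return {"challenge": b64u(secrets.token_bytes(32)), "rpId": RP_ID}


def _sign(page_origin: str, rp_id: str, challenge: str) -> dict:
    """What the authenticator signs: authenticatorData (starting with the RP ID
    hash) concatenated with SHA-256 of clientDataJSON, which carries the origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"), sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def browser_get_assertion(page_origin: str, options: dict) -> Optional[dict]:
    """Model of navigator.credentials.get(): the browser checks that rpId is
    the page host or a registrable suffix of it, and it writes the page origin
    into clientDataJSON itself. A phishing page cannot override either."""
    host = urlsplit(page_origin).hostname
    rp_id = options["rpId"]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a real browser raises SecurityError here
    return _sign(page_origin, rp_id, options["challenge"])


def rp_verify(assertion: dict, options: dict) -> tuple:
    """The RP's checks: challenge freshness, origin, RP ID hash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "unexpected type"
    if cd.get("challenge") != options["challenge"]:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> dict:
    results = {}
    # 1. User on the real site: browser binds to RP_ID, RP accepts.
    opts = rp_begin_login()
    results["legitimate"] = rp_verify(browser_get_assertion(RP_ORIGIN, opts), opts)
    # 2. The proxy relays the RP's unchanged options to the victim's browser on
    #    the look-alike origin: the browser refuses, so there is nothing to relay back.
    opts = rp_begin_login()
    results["proxied_via_phishing_origin"] = browser_get_assertion(PHISH_ORIGIN, opts)
    # 3. Even if a tampered client produced an assertion for the phishing origin,
    #    the RP rejects it, because the origin is inside the signed client data.
    opts = rp_begin_login()
    results["forged_client_data"] = rp_verify(_sign(PHISH_ORIGIN, RP_ID, opts["challenge"]), opts)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Rewriting `rpId` in the proxied options to the phishing host does not help the attacker either: the credential is scoped to the real RP ID, so the authenticator has nothing to sign with, and even a forced signature would carry the wrong `rpIdHash` and origin. This is the property that separates FIDO2/WebAuthn and FastPass from OTP and push, which carry no binding to the origin and are relayed by the proxy unchanged.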
## Related Tools/Techniques
- Other Adversary-in-the-Middle (AitM) phishing toolkits.
- Other Phishing-as-a-Service (PhaaS) platforms.